Cisco Support Community

New Member

req help: creating access-lists

cisco 2651XM router

IOS: c2600-adventerprisek9-mz.124-15.T8.bin

connected to internet by wic1-adsl card

I would like to configure my router to block the following ranges of IPs.

Start IP End IP

69.25.60.0 69.25.61.255

208.111.154.0 208.111.154.255

209.249.86.0 209.249.86.255

The problem is I'm at beginner level at configuring the Cisco router, so I'd appreciate help in knocking up a set of access lists that will do this job. Thanks for any advice.

7 REPLIES

Re: req help: creating access-lists

Hi

access-list xxx deny ip 69.25.60.0 0.0.1.255 any

access-list xxx deny ip 208.111.154.0 0.0.0.255 any

access-list xxx deny ip 209.249.86.0 0.0.0.255 any

New Member

Re: req help: creating access-lists

Thanks for your response, Adam. I've now put those commands into my CLI.

Re: req help: creating access-lists

Hi

There are plenty of free tools out there that will help you to create a wildcard mask and test it.

Boson do a nice one

http://www.boson.com

More on wildcard masks

http://en.wikipedia.org/wiki/Mask_(computing)#Inverse_Masks
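
The wildcard-mask calculation and test that such tools perform, as an added example that is not part of the original thread: it converts the start/end ranges from the question into `deny` entries and checks the range boundaries against them. The ACL name `BLOCKED-RANGES` and the 192.0.2.x range are constructed for illustration, and the closing `permit ip any any` is included because an IOS ACL ends in an implicit deny.

```python
from ipaddress import IPv4Address, summarize_address_range

def range_to_acl_entries(start, end):
    """Return (base, wildcard) pairs that together cover start..end inclusive."""
    nets = summarize_address_range(IPv4Address(start), IPv4Address(end))
    # hostmask is the inverse of the netmask, which is the IOS wildcard mask
    return [(str(n.network_address), str(n.hostmask)) for n in nets]

def wildcard_matches(addr, base, wildcard):
    """IOS-style match: bits set in the wildcard are ignored, the rest must equal base."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def covers_exactly(entries, start, end):
    """Boundary check: first and last address match, their outside neighbours do not."""
    lo, hi = int(IPv4Address(start)), int(IPv4Address(end))
    def hit(n):
        return any(wildcard_matches(n, b, w) for b, w in entries)
    return hit(lo) and hit(hi) and not hit(lo - 1) and not hit(hi + 1)

def build_acl(name, ranges):
    """Render a named extended ACL that denies each range as a source."""
    lines = [f"ip access-list extended {name}"]
    for start, end in ranges:
        entries = range_to_acl_entries(start, end)
        if not covers_exactly(entries, start, end):
            raise ValueError(f"entries do not cover {start}-{end}")
        lines += [f" deny ip {base} {wc} any" for base, wc in entries]
    # Without this line the implicit deny at the end drops all other traffic.
    lines.append(" permit ip any any")
    return lines

# Ranges from the original question.
RANGES = [
    ("69.25.60.0", "69.25.61.255"),
    ("208.111.154.0", "208.111.154.255"),
    ("209.249.86.0", "209.249.86.255"),
]

if __name__ == "__main__":
    print("\n".join(build_acl("BLOCKED-RANGES", RANGES)))  # hypothetical ACL name
    # Constructed range that is not mask-aligned: it needs several entries.
    for base, wc in range_to_acl_entries("192.0.2.5", "192.0.2.10"):
        print(f" deny ip {base} {wc} any")
```

A range that does not start and end on a power-of-two boundary cannot be expressed with a single contiguous wildcard mask, which is why the constructed 192.0.2.5 to 192.0.2.10 range expands to four entries.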

Hall of Fame Super Gold

Re: req help: creating access-lists

New Member

Re: req help: creating access-lists

Yes, that page looks informative, thanks. I'll check it out.

New Member

Re: req help: creating access-lists

Also, one final note: 12.4(15)T8 supports named ACLs, as does almost any IOS these days. This is a highly recommended practice.

I have seen several times on our network where someone wants to remove a subnet from a numbered ACL and enters the following command...

no access-list xxx deny ip 208.111.154.0 0.0.0.255 any

Unfortunately, the router just reads this as no access-list xxx and deletes the entire ACL. The recommended way to do this would be as follows...

ip access-list extended ACL-NAME

deny ip 69.25.60.0 0.0.1.255 any

deny ip 208.111.154.0 0.0.0.255 any

deny ip 209.249.86.0 0.0.0.255 any

exit

interface x/x

ip access-group ACL-NAME {in | out}

end

Named ACLs are also typically easier to find in the config. For example, if you were to use a numbered ACL, say ACL 5, and later need to find where all it is used, you would have to search the config for "5" and that could appear many, many times. One final recommendation I make is that you use all caps when naming anything in your configuration. This makes it pretty simple to see what is something you named versus what is part of the router's parser syntax.

New Member

Re: req help: creating access-lists

OK, thanks for this info, rp.
